Users that are categorized together by levels of access and permissions are added to _____.

Drupal User Guide, Chapter 7. Managing User Accounts

What are Users?

Anyone who visits your website is a user, including you. There are three groups of users:

  • Users who are not logged in, or anonymous users
  • Users who are logged in, or authenticated users
  • The administrative user account that was automatically created when you installed your site, or User 1. See Section 7.2, “Concept: The User 1 Account”.

What are Permissions?

The ability to do actions on your site (including viewing content, editing content, and changing configuration) is governed by permissions. Each permission has a name (such as View published content) and covers one action or a small subset of actions. A user must be granted a permission in order to do the corresponding action on the site; permissions are defined by the modules that provide the actions.

What are Roles?

Rather than assigning individual permissions directly to each user, permissions are grouped into roles. You can define one or more roles on your site, and then grant permissions to each role. The permissions granted to authenticated and anonymous users are contained in the Authenticated user and Anonymous user roles, and depending on the installation profile you used when you installed your site, there may also be an Administrator role that is automatically assigned all permissions on your site.

Each user account on your site is automatically given the Authenticated user role, and may optionally be assigned one or more additional roles. When you assign a role to a user account, the user will have all the permissions of the role when logged in.

It is a good practice to make several roles on your site. In the farmers market site example, you might want the following roles:

  • A Vendor role that allows vendors to edit their own vendor listing page
  • A Content editor role for editing the general farmers market pages
  • A User manager role for managing the vendor accounts
  • The Administrator role that was installed with your site, for expert users to manage the site configuration

  • Section 7.3, “Creating a Role”
  • Section 7.5, “Assigning Permissions to a Role”
  • Section 7.6, “Changing a User’s Roles”
  • Section 7.4, “Creating a User Account”
  • Section 7.2, “Concept: The User 1 Account”
  • Section 7.7, “Assigning Authors to Content”

Source file: user-concept.asciidoc


Introduction

This document explains how directory and file permissions on a UNIX or Linux machine are set and how the user can change them. This allows you to share files or directories or to lock them down to be private. If you want to set file or directory permissions by right-clicking on the file or directory and checking or unchecking boxes, you can do that in GUI file transfer software such as MobaXterm, SSH Secure Shell client, or WinSCP. If you are logged onto a Linux box running an X session, you can use the Linux equivalent of Windows Explorer with either the nautilus or konqueror command. Otherwise, this document provides a full explanation of how the UNIX command chmod works.

You can see the permissions of your file using the ls command with the -l option (lowercase L not 1):

% ls -l myfile.txt

will return a long string of information that starts with the file’s permissions:

-rw-r--r--

Every file and directory under UNIX or Linux has a set of permissions associated with it that is shown as a three digit number (such as 755). These permissions are categorized into three groups who have or do not have the permissions:

  • the file owner
  • the owner’s group
  • everyone else who has access to the server (referred to as “other”)

These three groups, in turn, may or may not have three different privileges:

Privilege     Definition
read (r)      reading, opening, viewing, and copying the file is allowed
write (w)     writing, changing, deleting, and saving the file is allowed
execute (x)   executing and invoking the file is allowed. This is required for directories to allow searching and access.

Thus, there are nine total variables:

  • permission for the owner to:
      1. read the file
      2. write to the file
      3. execute the file

  • permission for the owner’s group members to:
      1. read the file
      2. write to the file
      3. execute the file

  • permission for others to:
      1. read the file
      2. write to the file
      3. execute the file

These variables are organized into a three by three array as follows:

               owner    group    other
read (r)         4        4        4
write (w)        2        2        2
execute (x)      1        1        1
-----------    -----    -----    -----
total value      7        7        7

Column Values

The three by three array above shows the basis for describing the set of nine permissions. Note that each permission has a numeric value associated with it:

Value   Permission
4       read (r)
2       write (w)
1       execute (x)

If a permission is denied, then its value is always zero. (In the example above, all permissions have been granted.) For each category of user (owner, group member, or other) these three permission values potentially add up to seven. If we deny one or more types of permission, then that value (4, 2, or 1) is subtracted from the value for that category of user. Thus, if we wish to deny write permission to the owner’s group, we subtract 2 from the total of that permission, which leaves a column value of 5. And if we wish to deny both write and execute permissions to “others,” we subtract both 2 and 1, leaving a value of 4. These changes are shown in the array below:

               owner    group    other
read (r)         4        4        4
write (w)        2        0        0
execute (x)      1        1        0
-----------    -----    -----    -----
total value      7        5        4

The total value is now 754 rather than 777. Note that whatever combination of permissions we create, the numbers will always be a unique representation of that combination, as shown in the following chart:

Column Value   Permissions                 Represented by
------------   -----------                 --------------
0              none                        ---
1              execute-only                --x
2              write                       -w-
3              execute and write           -wx
4              read-only                   r--
5              read and execute            r-x
6              read and write              rw-
7              read, write, and execute    rwx

Total Value

Just as each column designates a specific combination of permissions, so the total value represents a specific combination of permissions associated with user types since the order is always given as: owner group other. Thus, from any three digit total value, you can deduce each of the nine possible permissions. This three-digit “total value” (in the examples above, 777 and 754) is used in defining and changing permissions, as described below. Remember that this total value is always given in the order: owner group others.

Setting Permissions

When you wish to set the mode of a file (set the permissions) you use the UNIX command chmod at the system prompt. As you become familiar with the chmod command, try using the -v option for a verbose response as in the following example:

% chmod -v 640 myfile.txt
mode of `myfile.txt' changed to 0640 (rw-r-----)

This command designates that the file named myfile.txt has read and write (rw-) permission for the owner (you), read-only (r--) permission for the group members, and no access permissions for others (---). Remember that the permissions for “owner” are always first and the permissions for “other” are always last. Setting permissions for a directory follows exactly the same procedure; you would simply substitute the directory name for the file name.

You can also use the letters r, w, and x to set read, write, and execute permissions and the letters u, g, o, and a to specify user, group, other or all:

% chmod -v a+x myfile.txt
mode of `myfile.txt' changed to 0751 (rwxr-x--x)

The above adds the executable permission for all users.

In this example group members are granted read-only permission:

% chmod -v g=r myfile.txt
mode of `myfile.txt' changed to 0741 (rwxr----x)

Here are some examples that, if done in the following order, would set the permissions as shown:

Command                   Equivalent command using number system   Permissions
chmod a=rwx myfile.txt    chmod 777 myfile.txt                     -rwxrwxrwx
chmod o= myfile.txt       chmod 770 myfile.txt                     -rwxrwx---
chmod g=w myfile.txt      chmod 720 myfile.txt                     -rwx-w----
chmod go=r myfile.txt     chmod 744 myfile.txt                     -rwxr--r--
chmod g+x myfile.txt      chmod 754 myfile.txt                     -rwxr-xr--
chmod o-r myfile.txt      chmod 750 myfile.txt                     -rwxr-x---

Setting Permissions Without Specifying u, g, o, or a

Permissions are set for user, group, and other if u, g, o, or a are not specified, but your umask (user file-creation mask) comes into play, which makes things complicated. The most common umask is 022, which means that when you create a new directory the permissions are not the default of 777 (drwxrwxrwx) but rather 777 - 022, which is 755 (drwxr-xr-x). And when you create a new file, the permissions are not the default 666 (-rw-rw-rw-) but rather 666 - 022, which is 644 (-rw-r--r--).

The following will happen if your umask is the most common umask of 022:

Command                   Equivalent command using number system   Permissions
chmod =rwx myfile.txt     chmod 755 myfile.txt                     -rwxr-xr-x
chmod -wx myfile.txt      chmod 444 myfile.txt                     -r--r--r--
chmod +x myfile.txt       chmod 555 myfile.txt                     -r-xr-xr-x

This last example is often used in documentation when the user is being instructed to make the file executable.

The reason to use the number system over the letter system to set permissions is that the numbers let you set different permissions for user, group, and other in a single chmod command, and the result does not depend on how the permissions are currently set. It is good practice to use the -v (verbose) option of the chmod command to see what the permissions changed to, since your umask may have had a role in the creation of the permissions.
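The following script is an added example, not part of the original document, that reproduces the umask behavior described in this section and shows two cases the tables do not cover: a umask of 077, where chmod +x makes the file executable for the owner only, and a umask of 033, which shows that the mask clears bits rather than subtracting digits. The function names new_mode and chmod_under are made up for this example, and GNU stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example: umask vs. new files and who-less chmod. Assumes GNU stat.
# Each function runs in a subshell "( ... )" so the umask change stays local.

mode_of() { stat -c '%a' "$1"; }

# new_mode UMASK f|d -> octal mode of a new file (f) or directory (d)
new_mode() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = d ]; then mkdir "$d/x"; else : > "$d/x"; fi
    mode_of "$d/x"
    rm -rf "$d"
)

# chmod_under UMASK START MODE... -> final mode after applying each symbolic
# MODE in order to a scratch file that starts at octal mode START
chmod_under() (
    d=$(mktemp -d) || exit 1
    um=$1; start=$2; shift 2
    : > "$d/f"
    chmod "$start" "$d/f"
    umask "$um"
    for m in "$@"; do
        chmod -- "$m" "$d/f"   # "--" keeps modes like -wx from parsing as options
    done
    mode_of "$d/f"
    rm -rf "$d"
)

echo "umask 022: file $(new_mode 022 f), dir $(new_mode 022 d)"
echo "umask 033: file $(new_mode 033 f) (bits cleared, not 666-033=633)"
echo "umask 022: =rwx, -wx, +x   -> $(chmod_under 022 644 =rwx -wx +x)"
echo "umask 077: +x on 644       -> $(chmod_under 077 644 +x)"
echo "umask 077: a+x on 644      -> $(chmod_under 077 644 a+x)"
```

On a system with a restrictive umask such as 077, a script made "executable" with a bare chmod +x is still not runnable by group members or others; a+x or a numeric mode avoids the surprise.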

Paths and Permissions

In order for you to be able to set permissions for a file or directory, UNIX must first be able to find the file or directory. Thus, if you are not in the directory that contains the file or directory for which you are setting permissions, you must provide a path name. For example, if you were in your home directory and you wished to set permissions for a file called myfile.txt in a directory called files located in your home directory, you would use the following command:

% chmod -v 644 files/myfile.txt
mode of `files/myfile.txt' changed to 0644 (rw-r--r--)

Determining Current Permissions

To determine the current permissions for a file or directory, use the ls command with the -l (lowercase “L,” not the number one “1”) option, as in the following example:

% ls -l myfile.txt

At the left of the resulting line of output will be the list of permissions expressed as a series of ten letters and hyphens. The last nine spaces are divided into groups of three, each of which will have, in order, an r (read), w (write), and x (execute) or, if that permission has been denied by the file owner, a hyphen (-) in its space. As in setting permissions, the three groups of three are given in the order: owner group other. For example, the file whose mode was set above as 644 would have the letters:

-rw-r--r--

This sequence shows that “myfile.txt” is an ordinary file (the first dash; a “d” in this location indicates a directory) with read and write permission for the owner (rw-), read-only permission for the owner’s group members (r--), and read-only permission for others (r--). If we change the mode again using the command:

% chmod -v 765 myfile.txt
mode of `myfile.txt' changed to 0765 (rwxrw-r-x)

then the ls -l myfile.txt command would show as the permissions:

-rwxrw-r-x

Naturally, only the owner can modify the permissions for a file or directory.

Directory vs. File Permissions

UNIX is a “top-down” environment. This means that if you deny “group” or “other” permissions to a directory, all subdirectories and files within that directory will be denied the permissions established at the directory level, though their settings will appear not to have changed. For example, suppose the permissions for directory projects are drwxr-xr-x and for subdirectory project1 are drwxr-xr-x, and you deny “group” and “other” permissions to access directory projects so that its permissions are now drwx------. The permissions of subdirectory project1 visually remain the same (drwxr-xr-x), but members of the group and others do not really have the permissions that are shown for subdirectory project1. This works the same way, but in reverse, when you create a subdirectory and set permissions to allow group members and others to access the directory. They will not be able to access the directory if they do not have access permissions for all previous directories in the path to the directory you want them to have permission to access.

The minimum permission for access to a directory is execute (x).
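The script below is an added example, not part of the original document, that rebuilds the projects/project1 case in a temporary directory and reports which directory on the path actually blocks “other” users, even though project1 itself still shows 755. The function names other_blocker and demo and the file notes.txt are made up for this example, and GNU stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example: find the ancestor directory that blocks "other" users.
# Assumes GNU stat; the tree below is constructed in a temporary directory.

# other_blocker BASE REL -> print the first directory on the path BASE/REL
# that lacks execute (search) for "other"; print nothing if none does.
other_blocker() {
    cur=$1; rest=$2
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=$cur/$part
        [ -d "$cur" ] || continue
        mode=$(stat -c '%a' "$cur")
        other=${mode#"${mode%?}"}          # last octal digit is "other"
        if [ $((other & 1)) -eq 0 ]; then
            echo "$cur"
            return 0
        fi
    done
}

# demo -> "<mode of project1> <blocking dir, relative to the scratch root>"
demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/projects/project1"
    : > "$root/projects/project1/notes.txt"
    chmod 755 "$root/projects" "$root/projects/project1"
    chmod 644 "$root/projects/project1/notes.txt"
    chmod 700 "$root/projects"             # deny group and other at the top
    blocker=$(other_blocker "$root" projects/project1/notes.txt)
    echo "$(stat -c '%a' "$root/projects/project1") ${blocker#"$root"/}"
    rm -rf "$root"
)

demo   # project1 still shows 755, but projects (700) blocks the path
```

The same walk is useful when auditing a shared directory: checking only the mode of the final file or directory says nothing about whether the path to it is open or closed.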

Groups

As discussed above, there is a set of permissions for “group” associated with each file and directory. As this implies, every user of a UNIX system is a member of one or more groups. When an account is created, its user is assigned to a group, usually the user’s academic designation. The group ID number that appears on the user’s entry in the password file indicates the user’s “primary” group. Groups are designated by both a name (“faculty” for example) and a group ID number (201 is the number for faculty). The group number is arbitrary, and it will always be greater than 100. One can also be a member of one or more “secondary” groups. Unlike your primary group ID, the secondary group ID number is not on your entry in the password file.

To see your group ids and all the groups of which you are a member, use the UNIX command id:

% id

If you own a file and if you are also a member of more than one group, you can modify the group “ownership” of that file using the chgrp command, as shown in the following example:

% chgrp marine myfile.txt

In this example, “marine” is the name of the group you wish to have permissions. Note that this in no way affects the individual ownership of the file; it merely changes the group to which the group permissions apply. Only the owner can make this change (and the system administrator, of course), and the owner must be a member of both the groups involved, that is, the default group assigned to you when your login was created and the new group to which you are granting permissions.

Which permission allows a user access to a resource?

Authorization: the process that defines the resources an authenticated user may access and what he or she may do with those resources. Authorization for Windows files and folders is controlled by the NTFS file system, which assigns permissions to users and groups.

What is a permission set group quizlet?

A permission set is a collection of settings and permissions that give users access to various tools and functions.

What are the various user and group permissions?

The User Group Permissions screen allows you to assign or revoke permission belonging to user groups and to "embed" user groups (along with associated permissions) into other user groups. When users are associated with a user group, they "inherit" the permissions of the user group.

What is user level access?

Basic User Level Access means access rights that allow the user to read, change or delete information which she or he owns or data and objects shared with the user or the user's team. Generally, basic user level access affords the least amount of authority and permissions regarding an organization's network.